Low-rank parity-check codes over Galois rings

Low-rank parity-check (LRPC) codes are rank-metric codes over finite fields, which have been proposed by Gaborit et al. (Proceedings of the workshop on coding and cryptography WCC, vol 2013, 2013) for cryptographic applications. Inspired by a recent adaptation of Gabidulin codes to certain finite rings by Kamche et al. (IEEE Trans Inf Theory 65(12):7718–7735, 2019), we define and study LRPC codes over Galois rings, a wide class of finite commutative rings. We give a decoding algorithm similar to Gaborit et al.'s decoder, based on simple linear-algebraic operations. We derive an upper bound on the failure probability of the decoder, which is significantly more involved than in the case of finite fields. The bound depends only on the rank of an error, i.e., it is independent of its free rank. Further, we analyze the complexity of the decoder. We obtain that there is a class of LRPC codes over a Galois ring that can decode roughly the same number of errors as a Gabidulin code with the same code parameters, but faster than the currently best decoder for Gabidulin codes. However, the price that one needs to pay is a small failure probability, which we can bound from above.


Introduction
Rank-metric codes are sets of matrices whose distance is measured by the rank of their difference. Over finite fields, these codes have found various applications in network coding, cryptography, space-time coding, distributed data storage, and digital watermarking. The first rank-metric codes were introduced in [6,9,21] and are today called Gabidulin codes. Motivated by cryptographic applications, Gaborit et al. introduced low-rank parity-check (LRPC) codes in [1,10]. They can be seen as the rank-metric analogs of low-density parity-check codes in the Hamming metric. LRPC codes have since had a stellar career: they are already the core component of a second-round submission to the currently running NIST standardization process for post-quantum secure public-key cryptosystems [16]. They are suitable in this scenario due to their weak algebraic structure, which prevents efficient structural attacks. Despite this weak structure, the codes have an efficient decoding algorithm, which in some cases can decode up to the same decoding radius as a Gabidulin code with the same parameters, or even beyond [1]. A drawback is that for random errors of a given rank weight, decoding fails with a small probability. However, this failure probability can be upper-bounded [1,10] and decreases exponentially in the difference between the maximal decoding radius and the error rank. The codes have also found applications in powerline communications [28] and network coding [18].
Codes over finite rings, in particular the ring of integers modulo $m$, have been studied since the 1970s [3,4,23]. They have, for instance, been used to unify the description of good non-linear binary codes in the Hamming metric, using a connection via the Gray mapping from linear codes over $\mathbb{Z}_4$ with high minimum Lee distance [12]. This Gray mapping was generalized to arbitrary moduli $m$ of $\mathbb{Z}_m$ in [5]. Recently, there has been an increased interest in rank-metric codes over finite rings due to the following applications. Network coding over certain finite rings was intensively studied in [7,11], motivated by works on nested-lattice-based network coding [8,17,25,27] which show that network coding over finite rings may result in more efficient physical-layer network coding schemes. Kamche et al. [13] showed how lifted rank-metric codes over finite rings can be used for error correction in network coding. The result uses a similar approach as [22] to transform the channel output into a rank-metric error-erasure decoding problem. Another application of rank-metric codes over finite rings are space-time codes. It was first shown in [14] how to construct space-time codes with optimal rate-diversity tradeoff via a rank-preserving mapping from rank-metric codes over Galois rings. This result was generalized to arbitrary finite principal ideal rings in [13]. The use of finite rings instead of finite fields has advantages since the rank-preserving mapping can be chosen more flexibly. Kamche et al. also defined and extensively studied Gabidulin codes over finite principal ideal rings. In particular, they proposed a Welch-Berlekamp-like decoder for Gabidulin codes and a Gröbner-basis-based decoder for interleaved Gabidulin codes [13].
Motivated by these recent developments on rank-metric codes over rings, in this paper we define and analyze LRPC codes over Galois rings. Essentially, we show that Gaborit et al.'s construction and decoder work as well over these rings, with only a few minor technical modifications. The core difficulty of proving this result is the significantly more involved failure probability analysis, which stems from the weaker algebraic structure of rings compared to fields: the algorithm and proof are based on dealing with modules over Galois rings instead of vector spaces over finite fields, which behave fundamentally differently since Galois rings are usually not integral domains. We also provide a thorough complexity analysis. The results can be summarized as follows.

Main Results
Let $p$ be a prime and $r, s$ be positive integers. A Galois ring $R$ of cardinality $p^{rs}$ is a finite Galois extension of degree $s$ of the ring $\mathbb{Z}_{p^r}$ of integers modulo the prime power $p^r$. As modules over $R$ are not always free (i.e., do not always have a basis), matrices over $R$ have a rank and a free rank, where the free rank is always smaller than or equal to the rank. We introduce these and other notions formally in Section 2.
In Section 3, we construct a family of rank-metric codes and a corresponding family of decoders with the following properties. Let $m, n, k, \lambda$ be positive integers such that $\lambda$ is greater than the smallest divisor of $m$ and $k$ fulfills $k \le \frac{\lambda-1}{\lambda}\, n$. The constructed codes are subsets $\mathcal{C} \subseteq R^{m\times n}$ of cardinality $|\mathcal{C}| = |R|^{mk}$. Seen as a set of vectors over an extension ring of $R$, the code is linear with respect to this extension ring. We exploit this linearity in the decoding algorithm.
Furthermore, let $t$ be a positive integer with $t < \min\left\{ \frac{m}{\lambda(\lambda+1)/2},\ \frac{n-k+1}{\lambda} \right\}$. Let $C \in \mathcal{C}$ be a (fixed) codeword and let $E \in R^{m\times n}$ be chosen uniformly at random from all matrices of rank $t$ (and arbitrary free rank). Then, we show in Section 5 that the proposed decoder in Section 4 recovers the codeword $C$ with probability at least
Hence, depending on the relation of $p^s$ and $t$, the success probability is positive for
and converges exponentially fast to 1 in the difference $t_{\max} - t$. Note that for $\lambda = 2$
The decoder has complexity $\tilde{O}(\lambda^2 n^2 m)$ operations in $R$ (see Section 6). In Section 7, we present simulation results.
Example 1 Consider the case $p = 2$, $s = 4$, $r = 2$, $m = n = 101$, $k = 40$, and $\lambda = 2$. Then, the decoder in Section 4 can correct up to $t_{\max} = \lfloor \frac{n-k}{2} \rfloor = 30$ errors with success probability at least $1 - 2^{-6}$. For $t = 24$ errors, the success probability is already $\approx 1 - 2^{-46}$, and for $t = 18$ it is $\approx 1 - 2^{-102}$. A Gabidulin code as in [13], over the same ring and with the same parameters, can correct any error of rank up to 30 (i.e., the same maximal radius). However, the currently fastest decoder for Gabidulin codes over rings [13] has a larger complexity than the LRPC decoder in Section 4.
The results of this paper were partly presented at the IEEE International Symposium on Information Theory 2020 [20]. Compared to this conference version, we generalize the results in two ways. First, we consider LRPC codes over the more general class of Galois rings instead of the integers modulo a prime power. This is a natural generalization since Galois rings share with finite fields many of the properties needed for dealing with the rank metric. Indeed, they constitute the common generalization of finite fields and rings of integers modulo a prime power. Second, the conference version only derives a bound on the failure probability for errors whose free rank equals their rank. For some applications, this is no restriction since the error can be designed, but for most communication channels we cannot influence the error and need to correct also errors of arbitrary rank profile. Hence, we provide a complete analysis of the failure probability for all types of errors.

Notation
Let $A$ be any commutative ring. We denote modules over $A$ by calligraphic letters, vectors by bold lowercase letters, and matrices by bold capital letters. We denote the set of $m\times n$ matrices over the ring $A$ by $A^{m\times n}$ and the set of row vectors of length $n$ over $A$ by $A^n = A^{1\times n}$. Rows and columns of $m\times n$ matrices are indexed by $1,\dots,m$ and $1,\dots,n$, where $X_{i,j}$ denotes the entry in the $i$-th row and $j$-th column of the matrix $X$. Moreover, for an element $a$ in a ring $A$, we denote by $\mathrm{Ann}(a)$ the ideal $\mathrm{Ann}(a) = \{b \in A \mid ab = 0\}$.

Galois Rings
A Galois ring $R := \mathrm{GR}(p^r, s)$ is a finite local commutative ring of characteristic $p^r$ and cardinality $p^{rs}$, which is isomorphic to $\mathbb{Z}[z]/(p^r, f(z))$, where $f(z)$ is a polynomial of degree $s$ that is irreducible modulo $p$. Let $\mathfrak{m}$ be the unique maximal ideal of $R$. It is well known that $R$ is a finite chain ring and that all its ideals are powers of $\mathfrak{m}$, where $r$ is the smallest positive integer for which $\mathfrak{m}^r = \{0\}$. Since Galois rings are principal ideal rings, $\mathfrak{m}$ is generated by a single ring element. We call such a generator $g_\mathfrak{m}$ (it is unique up to multiplication by units). Note that in a Galois ring this element can always be chosen to be $p$. Moreover, $R/\mathfrak{m}$ is isomorphic to the finite field $\mathbb{F}_{p^s}$.
In this setting, it is well known that there exists a unique cyclic subgroup of $R^*$ of order $p^s - 1$, which is generated by an element $\eta$. The set $T_s := \{0\} \cup \langle\eta\rangle$ is known as the Teichmüller set of $R$. Every element $a \in R$ hence has a unique representation as
We refer to this as the Teichmüller representation of $a$. For Galois rings, this representation coincides with the $p$-adic expansion. If, in addition, one chooses the polynomial $h(z)$ to be a Hensel lift of a primitive polynomial in $\mathbb{F}_p[x]$ of degree $s$, then the element $\eta$ can be taken to be one of the roots of $h(z)$. Here, for Hensel lift of a primitive polynomial $h(z$
The interested reader is referred to [2,15] for a deeper understanding of Galois rings.

Extensions of Galois rings
Let $h(z) \in R[z]$ be a polynomial of degree $m$ such that the leading coefficient of $h(z)$ is a unit and $h(z)$ is irreducible over the finite field $R/\mathfrak{m}$. Then, the Galois ring $R[z]/(h(z))$ is denoted by $S$. We have that $S$ is the Galois ring $\mathrm{GR}(p^r, sm)$, with maximal ideal $\mathfrak{M} = \mathfrak{m}S$. Moreover, it is known that subrings of Galois rings are Galois rings and that for every $\ell$ dividing $m$ there exists a unique subring of $S$ which is a Galois extension of degree $\ell$ of $R$. These are all the subrings of $S$ that contain $R$. In particular, there exists a unique copy of $R$ in $S$, and we can therefore consider (with a very small abuse of notation) $R \subseteq S$. In particular, $g_\mathfrak{m}$ is also a generator of $\mathfrak{M}$ in $S$.
As for $R$, also $S$ contains a unique cyclic subgroup of order $p^{sm} - 1$, and we can consider the Teichmüller set $T_{sm}$ as the union of this subgroup with the element 0. Hence, every $a \in S$ has a unique representation as
The number of units in $S$ is given by
From now on and for the rest of the paper, we always denote by $R$ the Galois ring $\mathrm{GR}(p^r, s)$ and by $S$ the Galois ring $\mathrm{GR}(p^r, sm)$.

Smith Normal Form
The Smith normal form is well-defined for both $R$ and $S$, i.e., for $A \in R^{m\times n}$, there are invertible matrices $S \in R^{m\times m}$ and $T \in R^{n\times n}$ such that $D = SAT \in R^{m\times n}$ is a diagonal matrix with diagonal entries $d_1, \dots, d_{\min\{n,m\}}$ with
The same holds for matrices over $S$, where we replace $\mathfrak{m}$ by $\mathfrak{M}$ (note that $\mathfrak{M}^r = \{0\}$ and $\mathfrak{M}^{r-1} \neq \{0\}$ for the same $r$). The rank and the free rank of $A$ (with respect to a ring $\mathcal{A} \in \{S, R\}$) are defined by
$$\mathrm{rk}(A) := |\{i \in \{1,\dots,\min\{m,n\}\} : D_{i,i} \neq 0\}| \quad\text{and}\quad \mathrm{frk}(A) := |\{i \in \{1,\dots,\min\{m,n\}\} : D_{i,i} \text{ is a unit}\}|,$$
respectively, where $D$ is the diagonal matrix of the Smith normal form with respect to the ring $\mathcal{A}$. Since every diagonal entry is a power of $g_\mathfrak{m}$ times a unit, the free rank never exceeds the rank.

Modules over Finite Chain Rings
The ring $S$ is a free module over $R$ of rank $m$. Hence, elements of $S$ can be treated as vectors in $R^m$, and linear independence, $R$-subspaces of $S$ and the $R$-linear span of elements are well-defined. Let $\gamma = [\gamma_1,\dots,\gamma_m]$ be an ordered basis of $S$ over $R$. By the module isomorphism $S \cong R^m$, we can relate each vector $a \in S^n$ to a matrix $A \in R^{m\times n}$ according to
$$\mathrm{ext}_\gamma : S^n \to R^{m\times n},\quad a \mapsto A,\quad \text{where } a_j = \sum_{i=1}^{m} A_{i,j}\,\gamma_i,\ j \in \{1,\dots,n\}.$$
The (free) rank norm $(\mathrm{f})\mathrm{rk}_R(a)$ is the (free) rank of the matrix representation $A$, i.e., $\mathrm{rk}_R(a) := \mathrm{rk}(A)$ and $\mathrm{frk}_R(a) := \mathrm{frk}(A)$, respectively.
Using the polynomial basis $\gamma = [1, z, z^2]$, the matrix representation of $a$ is
and the Smith normal form of $A$ is given by
- $a$ is a unit in $S$.
- At least one $a_i$ is a unit in $R$.
- $\{a\}$ is linearly independent over $R$.
The $R$-linear module spanned by $v_1,\dots,v_\ell \in S$ is denoted by $\langle v_1,\dots,v_\ell\rangle_R := \left\{\sum_{i=1}^{\ell} a_i v_i : a_i \in R\right\}$. The $R$-linear module spanned by the entries of a vector $a \in S^n$ is called the support of $a$, i.e., $\mathrm{supp}_R(a) := \langle a_1,\dots,a_n\rangle_R$. Further, $\mathcal{A}\cdot\mathcal{B}$ denotes the product module of two submodules $\mathcal{A}$ and $\mathcal{B}$ of $S$, i.e.,

Valuation in Galois Rings
We define the valuation of $a \in R \setminus \{0\}$ as the unique integer $v(a) \in \{0,\dots,r-1\}$ such that $a \in \mathfrak{m}^{v(a)} \setminus \mathfrak{m}^{v(a)+1}$, and set $v(0) := r$. In the same way, the valuation of $b \in S \setminus \{0\}$ is the unique integer $v(b) \in \{0,\dots,r-1\}$ such that $b \in \mathfrak{M}^{v(b)} \setminus \mathfrak{M}^{v(b)+1}$, and $v(0) = r$.
Let $\{\gamma_1,\dots,\gamma_m\}$ be a basis of $S$ as an $R$-module. It is easy to see that for $a = \sum_{i=1}^{m} a_i\gamma_i \in S \setminus \{0\}$, where $a_i \in R$ (not all 0), we have
$$v(a) = \min_{i=1,\dots,m}\{v(a_i)\}.$$
Since an element is a unit if and only if its valuation is equal to 0, only the elements $a$ and $d$ are units.
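The following Python model is an added example, not code from the paper: it realises $\mathrm{GR}(p^r, s)$ as $\mathbb{Z}_{p^r}[z]/(f(z))$ with elements stored as coefficient lists in the polynomial basis, computes the Teichmüller set and the Teichmüller (= $p$-adic) digits of an element, and checks that "unit" coincides with "valuation 0", where the valuation is taken coordinate-wise as in the formula above. The class and function names, the Teichmüller lift $a \mapsto a^{p^{(r-1)s}}$ used to compute the digits, and the concrete polynomials $f(z) = z^2 + z + 1$ and $z^3 + z + 1$ (both irreducible modulo 2) are choices made for the example.

```python
from itertools import product as cartesian


def poly_mulmod(a, b, f, q):
    """Product of coefficient lists a, b (lowest degree first) in Z_q[z]/(f),
    f monic of degree s = len(f) - 1."""
    s = len(f) - 1
    out = [0] * (2 * s - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    for d in range(2 * s - 2, s - 1, -1):   # fold z^d via z^s = -(f_0 + ... + f_{s-1} z^{s-1})
        c, out[d] = out[d], 0
        for k in range(s):
            out[d - s + k] = (out[d - s + k] - c * f[k]) % q
    return out[:s]


class GaloisRing:
    """GR(p^r, s) = Z_{p^r}[z]/(f(z)); an element is its coefficient list in the
    polynomial basis 1, z, ..., z^{s-1}, coefficients taken in [0, p^r)."""

    def __init__(self, p, r, s, f):
        assert len(f) == s + 1 and f[-1] == 1, "f must be monic of degree s"
        self.p, self.r, self.s, self.f, self.q = p, r, s, f, p ** r
        self.one = [1] + [0] * (s - 1)

    def elements(self):
        return [list(c) for c in cartesian(range(self.q), repeat=self.s)]

    def mul(self, a, b):
        return poly_mulmod(a, b, self.f, self.q)

    def power(self, a, e):
        result, base = list(self.one), list(a)
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result

    def valuation(self, a):
        """v(a) = min_i v(a_i) over the coordinates, v(0) = r, where v(a_i) is the
        exponent of p in a_i (the coordinate-wise formula of the paper)."""
        v = self.r
        for c in a:
            c %= self.q
            k = 0
            while c and c % self.p == 0:
                c, k = c // self.p, k + 1
            if c:
                v = min(v, k)
        return v

    def teichmuller_lift(self, a):
        """The element of T_s congruent to a modulo m = (p): a^(p^((r-1)s)).  The
        exponent is the order of 1 + m, so it kills that factor of R^* and fixes
        the cyclic factor of order p^s - 1; non-units (nilpotent) go to 0."""
        return self.power(a, self.p ** ((self.r - 1) * self.s))

    def teichmuller_set(self):
        return {tuple(self.teichmuller_lift(a)) for a in self.elements()}

    def teichmuller_generator(self):
        """An eta in T_s with T_s minus {0} = <eta>, i.e. of order p^s - 1."""
        order = self.p ** self.s - 1
        for eta in map(list, self.teichmuller_set()):
            if len({tuple(self.power(eta, i)) for i in range(order)}) == order:
                return eta
        raise ValueError("no generator: is f irreducible modulo p?")

    def teichmuller_digits(self, a):
        """Digits t_0, ..., t_{r-1} in T_s with a = sum_i t_i p^i: the Teichmueller
        representation, which in a Galois ring is the p-adic expansion."""
        digits, rest = [], [c % self.q for c in a]
        for _ in range(self.r):
            t = self.teichmuller_lift(rest)
            digits.append(t)
            rest = [((x - y) % self.q) // self.p for x, y in zip(rest, t)]  # (rest - t) / p
        return digits

    def from_digits(self, digits):
        return [sum(t[i] * self.p ** k for k, t in enumerate(digits)) % self.q for i in range(self.s)]


def check_ring(ring):
    """Round-trip every element through its Teichmueller digits and confirm that
    'valuation 0' is exactly 'unit': units have a^(|R^*|-1) as inverse, while
    elements of the maximal ideal are nilpotent.  Returns (#units, |T_s|)."""
    teich = ring.teichmuller_set()
    order = ring.p ** ((ring.r - 1) * ring.s) * (ring.p ** ring.s - 1)    # |R^*|
    units = 0
    for a in ring.elements():
        digits = ring.teichmuller_digits(a)
        assert all(tuple(t) in teich for t in digits) and ring.from_digits(digits) == a
        if ring.valuation(a) == 0:
            units += 1
            assert ring.mul(a, ring.power(a, order - 1)) == ring.one
        else:
            assert ring.power(a, ring.r) == [0] * ring.s
    return units, len(teich)
```

For $\mathrm{GR}(4,2) = \mathbb{Z}_4[z]/(z^2+z+1)$, `check_ring` returns 12 units and a Teichmüller set of size 4, matching $p^{(r-1)s}(p^s-1)$ and $p^s$; $\eta = z$ is a generator since $z^3 = 1$ in this ring, and $3 = 1 + 1\cdot 2$ has Teichmüller digits $(1, 1)$. For $\mathrm{GR}(8,3)$, the ring of Example 6, the same check gives 448 units and $|T_3| = 8$.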

Rank Profile of a Module and m-Shaped Bases
Let $\mathcal{M}$ be an $R$-submodule of $S$ and $d_1,\dots,d_n$ be the diagonal entries of a Smith normal form of a matrix whose row space is $\mathcal{M}$. Define the rank profile of $\mathcal{M}$ to be the polynomial
$$\phi_\mathcal{M}(x) := \sum_{i=0}^{r-1} n_i x^i \in \mathbb{Z}[x]/(x^r), \qquad \text{where } n_i := |\{j : v(d_j) = i\}|.$$
Note that $\phi_\mathcal{M}(x)$ is independent of the chosen matrix and Smith normal form since the diagonal entries $d_i$ are unique up to multiplication by a unit. We can easily read the free rank and the rank from the rank profile: $\mathrm{frk}_R(\mathcal{M}) = n_0 = \phi_\mathcal{M}(0)$ and $\mathrm{rk}_R(\mathcal{M}) = \sum_i n_i = \phi_\mathcal{M}(1)$.
Example 6 Consider the ring $R = \mathrm{GR}(8,3)$ as defined in Example 3, where as generator of $\mathfrak{m}$ we take $g_\mathfrak{m} = 2$. Take a module $\mathcal{M}$ whose diagonal matrix in the Smith normal form is
We have
On $\mathbb{Z}[x]/(x^r)$, we define the following partial order.
Definition 1 Let $a(x) = \sum_i a_i x^i$ and $b(x) = \sum_i b_i x^i$ be in $\mathbb{Z}[x]/(x^r)$. We say that $a(x) \preceq b(x)$ if for every $i \in \{0,\dots,r-1\}$ we have $\sum_{j=0}^{i} a_j \le \sum_{j=0}^{i} b_j$.
Remark 1 The partial order $\preceq$ on rank profiles is compatible with the containment of submodules. That is, if $\mathcal{M}_1 \subseteq \mathcal{M}_2$, then $\phi_{\mathcal{M}_1} \preceq \phi_{\mathcal{M}_2}$. Clearly, the opposite implication is not true in general.
For $D$ and $T$ as in the Smith normal form of a matrix $A$ over $R$, observe that the nonzero rows of the matrix $DT^{-1}$ form a set of generators of the $R$-module generated by the rows of $A$, which is minimal and of the form
A generating set coming from the Smith normal form as described above will be called an $\mathfrak{m}$-shaped basis. Alternatively, an $\mathfrak{m}$-shaped basis for an $R$-module $\mathcal{M}$ is a generating set
submodule of $R^n$ can be seen as the row space of a matrix, and hence it decomposes as
where $R$ is a free module. However, this decomposition depends on the chosen $\mathfrak{m}$-shaped basis $\Gamma$.
For a module $\mathcal{M}$ with $\mathfrak{m}$-shaped basis $\Gamma = \{g_\mathfrak{m}^i a_{i,\ell_i} : 0 \le i \le r-1,\ 1 \le \ell_i \le \phi_i^\mathcal{M}\}$, we have the following. Let $e \in \mathcal{M}$ and let
$$e = \sum_{i=0}^{r-1}\sum_{\ell_i=1}^{\phi_i^\mathcal{M}} e_{i,\ell_i}\, g_\mathfrak{m}^i a_{i,\ell_i} = \sum_{i=0}^{r-1}\sum_{\ell_i=1}^{\phi_i^\mathcal{M}} e'_{i,\ell_i}\, g_\mathfrak{m}^i a_{i,\ell_i}$$
be two different representations of $e$ in the $\mathfrak{m}$-shaped basis with coefficients $e_{i,\ell_i}, e'_{i,\ell_i} \in R$, respectively. Then, we have $e_{i,\ell_i} \equiv e'_{i,\ell_i} \bmod g_\mathfrak{m}^{r-i}$ for all $0 \le i \le r-1$ and $1 \le \ell_i \le \phi_i^\mathcal{M}$. This is due to the fact that, by definition of an $\mathfrak{m}$-shaped basis, the set $\{a_{i,\ell_i}\}$ is linearly independent over $R$, and hence $(e_{i,\ell_i} - e'_{i,\ell_i})\, g_\mathfrak{m}^i = 0$ for every $i, \ell_i$. Therefore, the representation of an element of $\mathcal{M}$ with respect to an $\mathfrak{m}$-shaped basis has uniquely determined coefficients $e_{i,\ell_i}$ modulo $\mathrm{Ann}(g_\mathfrak{m}^i) = \mathfrak{m}^{r-i}$.
Lemma 1 Let $\mathcal{M}$ be an $R$-submodule of $S$ with rank profile $\phi_\mathcal{M}$ and let $j \in \{1,\dots,r-1\}$. Then, the rank profile of $\mathfrak{m}^j\mathcal{M}$ is given by
$$\phi_{\mathfrak{m}^j\mathcal{M}}(x) = x^j\,\phi_\mathcal{M}(x) = \sum_{i=0}^{r-1-j} \phi_i^\mathcal{M} x^{i+j} \in \mathbb{Z}[x]/(x^r).$$
In particular, the rank of $\mathfrak{m}^j\mathcal{M}$ is equal to $\sum_{i=0}^{r-1-j} \phi_i^\mathcal{M}$.
Proof Let $g_\mathfrak{m}$ be a generator of $\mathfrak{m}$. If $\{g_\mathfrak{m}^i a_{i,\ell_i}\}$ is an $\mathfrak{m}$-shaped basis for $\mathcal{M}$, then it is easy to see that $\{g_\mathfrak{m}^{i+j} a_{i,\ell_i} : 0 \le i \le r-1-j\}$ is an $\mathfrak{m}$-shaped basis for $\mathfrak{m}^j\mathcal{M}$. Hence, the first $j$ coefficients of $\phi_{\mathfrak{m}^j\mathcal{M}}(x)$ are equal to zero, while the remaining ones are the $j$-th shift of the first $r-j$ coefficients of $\phi_\mathcal{M}(x)$.

⊓ ⊔
Proposition 1 For any pair of $R$-submodules $\mathcal{M}_1, \mathcal{M}_2$ of $S$, we have $\phi_{\mathcal{M}_1\cdot\mathcal{M}_2} \preceq \phi_{\mathcal{M}_1}\,\phi_{\mathcal{M}_2}$.
Proof Let $g_\mathfrak{m}$ be a generator of $\mathfrak{m}$. Let $\mathcal{M}_1, \mathcal{M}_2$ be two $R$-submodules with rank profiles $\phi_{\mathcal{M}_1}$ and $\phi_{\mathcal{M}_2}$, respectively. Then, there exist a minimal generating set of $\mathcal{M}_1$ given by
and a minimal generating set of $\mathcal{M}_2$ given by
In particular, the product set
The general inequality for the truncated sums then follows by considering the rank of the submodule $\mathfrak{m}^j(\mathcal{M}_1\cdot\mathcal{M}_2)$ and Lemma 1.
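As an added worked example (this is not code from the paper; all function names are the example's own), the following Python code computes a Smith normal form over the chain ring $\mathbb{Z}_{p^r}$, reads off rank, free rank and rank profile, implements the partial order of Definition 1, and checks Lemma 1 and Proposition 1 on small modules. It assumes $s = 1$, i.e. $R = \mathbb{Z}_{p^r}$, realises $S = \mathrm{GR}(p^r, m)$ as $\mathbb{Z}_{p^r}[z]/(h(z))$ with $h$ monic and irreducible modulo $p$, and identifies $S$ with $R^m$ via the polynomial basis $[1, z, \dots, z^{m-1}]$, so that an $R$-submodule of $S$ is the row space of the coefficient matrix of its generators. The modules in the usage note are constructed for the example.

```python
def val(x, p, r):
    """Valuation of x in Z_{p^r}: the exponent of p in x, and r if x = 0 mod p^r."""
    x %= p ** r
    if x == 0:
        return r
    v = 0
    while x % p == 0:
        x //= p
        v += 1
    return v


def smith_diagonal(A, p, r):
    """Diagonal d_1, ..., d_min(rows, cols) of a Smith normal form of A over Z_{p^r},
    normalised to powers of p (each d_i is p^v(d_i), or 0).  In a chain ring an
    entry of minimal valuation divides every other entry, so plain row/column
    elimination with a unit inverse suffices."""
    q = p ** r
    M = [[x % q for x in row] for row in A]
    nrows, ncols, diag = len(M), len(M[0]), []
    for k in range(min(nrows, ncols)):
        cand = [(val(M[i][j], p, r), i, j) for i in range(k, nrows) for j in range(k, ncols)]
        v, i, j = min(cand)
        if v == r:                                   # remaining block is zero
            diag.extend([0] * (min(nrows, ncols) - k))
            break
        M[k], M[i] = M[i], M[k]                      # move the pivot to (k, k)
        for row in M:
            row[k], row[j] = row[j], row[k]
        unit_inv = pow(M[k][k] // p ** v, -1, q)     # pivot = p^v * unit
        for i in range(k + 1, nrows):                # clear column k below the pivot
            factor = (M[i][k] // p ** v) * unit_inv % q
            M[i] = [(a - factor * b) % q for a, b in zip(M[i], M[k])]
        for j in range(k + 1, ncols):                # clear row k right of the pivot
            factor = (M[k][j] // p ** v) * unit_inv % q
            for row in M:
                row[j] = (row[j] - factor * row[k]) % q
        diag.append(p ** v)
    return diag


def rank_profile(gens, p, r):
    """Coefficients [n_0, ..., n_{r-1}] of phi_M(x) = sum_i n_i x^i for the R-module
    M spanned by the rows gens; n_i counts Smith diagonal entries of valuation i.
    Free rank = n_0 = phi_M(0), rank = sum(n_i) = phi_M(1)."""
    phi = [0] * r
    for d in smith_diagonal(gens, p, r):
        if d:
            phi[val(d, p, r)] += 1
    return phi


def precedes(a, b):
    """Definition 1: a(x) precedes b(x) iff every truncated coefficient sum of a
    is at most the corresponding truncated sum of b."""
    sa = sb = 0
    for x, y in zip(a, b):
        sa, sb = sa + x, sb + y
        if sa > sb:
            return False
    return True


def poly_mul_trunc(a, b, r):
    """Product of two coefficient lists in Z[x]/(x^r)."""
    out = [0] * r
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < r:
                out[i + j] += x * y
    return out


def ring_mul(a, b, h, q):
    """Product in S = Z_q[z]/(h(z)), h monic of degree m; inputs are coefficient lists."""
    m = len(h) - 1
    out = [0] * (2 * m - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    for d in range(2 * m - 2, m - 1, -1):   # reduce z^d using z^m = -(h_0 + ... + h_{m-1} z^{m-1})
        c, out[d] = out[d], 0
        for k in range(m):
            out[d - m + k] = (out[d - m + k] - c * h[k]) % q
    return out[:m]


def product_profile(gens1, gens2, h, p, r):
    """Rank profile of M1 . M2, which is spanned by all pairwise products of generators."""
    q = p ** r
    return rank_profile([ring_mul(u, v, h, q) for u in gens1 for v in gens2], p, r)


def shifted_profile(gens, j, p, r):
    """Rank profile of m^j M, generated by p^j times the generators (Lemma 1)."""
    q = p ** r
    return rank_profile([[(p ** j * c) % q for c in g] for g in gens], p, r)
```

For $R = \mathbb{Z}_4$ and $h(z) = z^3 + z + 1$: the modules $\mathcal{M}_1 = \mathcal{M}_2 = \langle 1, z\rangle_R$ both have rank profile $2$, while their product $\langle 1, z, z^2\rangle_R$ has rank profile $3 \preceq 4 = \phi_{\mathcal{M}_1}\phi_{\mathcal{M}_2}$, a strict instance of Proposition 1. For $\mathcal{M}_1 = \langle 1, 2z\rangle_R$ (profile $1 + x$, free rank 1, rank 2) and $\mathcal{M}_2 = \langle z\rangle_R$ the product attains the maximal profile $1 + x$, and $\mathfrak{m}\mathcal{M}_1$ has profile $x$, as Lemma 1 predicts. Over $\mathbb{Z}_8$ the matrix $\begin{pmatrix}4 & 2\\ 2 & 0\end{pmatrix}$ has Smith diagonal $(2, 2)$, hence rank 2 and free rank 0.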

LRPC Codes Over Galois Rings
Definition 2 Let $k, n, \lambda$ be positive integers with $0 < k < n$. Furthermore, let $F \subseteq S$ be a free $R$-submodule of $S$ of rank $\lambda$. A low-rank parity-check (LRPC) code with parameters $\lambda, n, k$ is a code with a parity-check matrix $H \in S^{(n-k)\times n}$ such that
Note that an LRPC code is a free submodule of $S^n$ of rank $k$. This means that the cardinality of the code is $|S|^k = |R|^{mk} = p^{rsmk}$. We define the following three additional properties of the parity-check matrix, which we use throughout the paper to prove the correctness of our decoder and to derive failure probabilities. As for rank-metric codes over finite fields, we can interpret vectors over $S$ as matrices over $R$ by the $R$-module isomorphism $S \simeq R^m$. In particular, an LRPC code can be seen as a subset of $R^{m\times n}$.
Definition 3 Let $\lambda$, $F$, and $H$ be defined as in Definition 2. Let $f_1,\dots,f_\lambda \in S$ be a free basis of $F$. For $i = 1,\dots,n-k$, $j = 1,\dots,n$, and $\ell = 1,\dots,\lambda$, let $h_{i,j,\ell} \in R$ be the unique elements such that $H_{i,j} = \sum_{\ell=1}^{\lambda} h_{i,j,\ell}\, f_\ell$. Define
Then, $H$ has the
2. maximal-row-span property if every row of the parity-check matrix $H$ spans the entire space $F$,
3. unity property if every entry
Furthermore, we say that $F$ has the base-ring property if $1 \in F$.
In the original papers about LRPC codes over finite fields, [1,10], some of the properties of Definition 3 are used without explicitly stating them.
We will see in Section 4.2 that the unique-decoding property together with a property of the error guarantees that erasure decoding always works (i.e., that the full error vector can be recovered from knowing the support and syndrome of an error). This property is also implicitly used in [10]. It is, however, not very restrictive: if the parity-check matrix entries $H_{i,j}$ are chosen uniformly at random from $F$, this property is fulfilled with the probability that a random $\lambda(n-k)\times n$ matrix has full (free) rank $n$. This probability is arbitrarily close to 1 for increasing difference of $\lambda(n-k)$ and $n$ (cf. [19] for the field case and Lemma 7 in Section 5.2 for the ring case).
We use the maximal-row-span property to prove a bound on the failure probability of the decoder in Section 5. It is a sufficient condition for our bound (in particular Theorem 3 in Section 5) to hold. Although not explicitly stated, [1, Proposition 4.3] must also assume a similar or slightly weaker condition in order to hold. It does not hold for arbitrary parity-check matrices as in [1, Definition 4.1] (see the counterexample in Remark 4 in Section 5). This is again not a big limitation in general, for two reasons: first, the ideal codes in [1, Definition 4.2] appear to automatically have this property, and second, a random parity-check matrix has this property with high probability.
In the case of finite fields, the unity property is no restriction at all, since the units of a finite field are all its non-zero elements; that is, every non-zero element of $F$ is a unit. Over rings, we need this additional property as a sufficient condition for one of our failure probability bounds (Theorem 3 in Section 5). It is not a severe restriction in general, since
which is relatively close to 1 for large $p^s$ and comparably small $\lambda$.
Finally, Gaborit et al. [10] also used the base-ring property of $F$. In contrast to the other three properties in Definition 3, this property only depends on $F$ and not on $H$. We also assume this property to derive a bound on the probability of one possible cause of a decoding failure event in Section 5.3.

The Main Decoder
Fix $\lambda$ and $F$ as in Definition 2. Let $f_1,\dots,f_\lambda \in S$ be a free basis of $F$. Note that since the $f_i$ are linearly independent, the sets $\{f_i\}$ are linearly independent, which by the discussion in Section 2 implies that all the $f_i$ are units in $S$. Hence, $f_i^{-1}$ exists for each $i$. We discuss erasure decoding (Line 6) in Section 4.2.

Algorithm 1: LRPC Decoder
Input:
- LRPC parity-check matrix $H$ (as in Definition 2)
- $r = c + e$, such that $c$ is in the LRPC code $\mathcal{C}$ given by $H$ and the support of $e$ is a module of rank $t$.
Output: Codeword $c'$ of $\mathcal{C}$ or "decoding failure"
Algorithm 1 recovers the support $\mathcal{E}$ of the error $e$ if $\mathcal{E}' = \mathcal{E}$. A necessary (but not sufficient) condition for this to be fulfilled is that we have $\mathcal{S} = \mathcal{E}\cdot F$. Furthermore, we will see in Section 4.2 that we can uniquely recover the error vector $e$ from its support $\mathcal{E}$ and syndrome $s$ if the parity-check matrix fulfills the unique-decoding property and we have $\phi_{\mathcal{E}\cdot F} = \phi_\mathcal{E}\,\phi_F$. Hence, decoding works if the following three conditions are fulfilled:
- product condition: $\phi_{\mathcal{E}\cdot F} = \phi_\mathcal{E}\,\phi_F$,
- syndrome condition: $\mathcal{S} = \mathcal{E}\cdot F$,
- intersection condition: $\mathcal{E}' = \mathcal{E}$.
We call the case that at least one of the three conditions is not fulfilled a (decoding) failure. We will see in the next section (Section 5) that whether an error results in a failure depends solely on the error support $\mathcal{E}$. Furthermore, given an error support that is drawn uniformly at random from the modules of a given rank profile $\phi$, the failure probability can be upper-bounded by a function that depends only on the rank of the module (i.e., $\phi_\mathcal{E}(1)$).
In Section 6, we will analyze the complexity of Algorithm 1.The proofs in that section also indicate how the algorithm can be implemented in practice.
Remark 2 Note that the success conditions above imply that for an error of rank $\phi_\mathcal{E}(1) = t$, we have $\lambda t \le m$ (due to the product condition) as well as $\lambda \ge \frac{n}{n-k}$ (due to the unique-decoding property). Combined, we obtain $t \le m\,\frac{n-k}{n} = m(1-R)$, where $R := \frac{k}{n}$ is the rate of the LRPC code.

Erasure Decoding
As its name suggests, the unique decoding property of the parity-check matrix is related to unique erasure decoding, i.e., the process of obtaining the full error vector e after having recovered its support.The next lemma establishes this connection.
Lemma 2 (Unique Erasure Decoding) Let $H$ be a parity-check matrix that fulfills the unique-decoding property and let $\mathcal{E}$ be a free support of rank $t$. Then, for any syndrome $s \in S^{n-k}$, there is at most one error vector $e \in S^n$ with support $\mathcal{E}$ that fulfills $He^\top = s^\top$.
Proof Let $f_1,\dots,f_\lambda$ be a basis of the free module $F$. Furthermore, let $\varepsilon_1,\dots,\varepsilon_t$ be an $\mathfrak{m}$-shaped basis of $\mathcal{E}$. To avoid overly complicated sums in the derivation below, we use a slightly different notation than in the definition of $\mathfrak{m}$-shaped basis and write
we have that $f_i\varepsilon_\kappa$ for $i = 1,\dots,\lambda$ and $\kappa = 1,\dots,t$ is an $\mathfrak{m}$-shaped basis of the product space $\mathcal{E}\cdot F$. Any entry of the parity-check matrix $H$ has a unique representation $H_{i,j} = \sum_{\ell=1}^{\lambda} h_{i,j,\ell}\, f_\ell$ with $h_{i,j,\ell} \in R$. Furthermore, any entry of the error vector $e = [e_1,\dots,e_n]$ can be represented as $e_j = \sum_{\kappa=1}^{t} e_{j,\kappa}\,\varepsilon_\kappa$, where the $e_{j,\kappa} \in R$ are unique modulo $\mathfrak{m}^{r-v(\varepsilon_\kappa)}$.
We want to recover the error vector $e$ from the syndrome $s = [s_1,\dots,s_{n-k}]^\top$, which are related by definition as follows:
Hence, for any representation $e_{j,\kappa}$ of the error $e$, there is a representation $s_{i,\ell,\kappa}$ of $s$.
We can rewrite this into $t$ independent linear systems of equations of the form
for each $\kappa = 1,\dots,t$, where $H_{\mathrm{ext}} \in R^{(n-k)\lambda\times n}$ is independent of $\kappa$ and defined as in (3).
By the unique-decoding property, $H_{\mathrm{ext}}$ has at least as many rows as columns (i.e., $(n-k)\lambda \ge n$) and full free rank and rank (equal to $n$). Hence, each system in (4) has a unique solution $e^{(\kappa)}$.
It is left to show that any representation $s_{i,\ell,\kappa}$ of $s$ in the $\mathfrak{m}$-shaped basis $f_i\varepsilon_\kappa$ of $\mathcal{E}\cdot F$ yields the same error vector $e$. Recall that $s_{i,\ell,\kappa}$ is unique modulo $\mathfrak{m}^{r-v(\varepsilon_\kappa)}$ (note that $v(f_i\varepsilon_\kappa) = v(\varepsilon_\kappa)$). Assume now that we have a different representation, say
where $\chi \in R^{(n-k)\lambda}$. Then the unique solution $e'^{(\kappa)}$ of the linear system $s'^{(\kappa)} = H_{\mathrm{ext}}\, e'^{(\kappa)}$ is of the form $e'^{(\kappa)} = e^{(\kappa)} + g_\mathfrak{m}^{r-v(\varepsilon_\kappa)}\,\mu$ for some $\mu \in R^n$. Hence, $e'^{(\kappa)} \equiv e^{(\kappa)} \bmod \mathfrak{m}^{r-v(\varepsilon_\kappa)}$, which means that the two representations $e'^{(\kappa)}$ and $e^{(\kappa)}$ belong to the same error $e$.
This shows that we can take any representation of the syndrome vector $s$, solve the system in (4) for $e^{(\kappa)}$ for $\kappa = 1,\dots,t$, and obtain the unique error vector $e$ corresponding to this syndrome $s$ and support $\mathcal{E}$. ⊓⊔

Failure Probability
Consider an error vector $e$ that is chosen uniformly at random from the set of error vectors whose support is a module of a given rank profile $\phi \in \mathbb{Z}[x]/(x^r)$ and rank $\phi(1) = t$. In this section, we derive a bound on the failure probability of the LRPC decoder over Galois rings for this error model. The resulting bound does not depend on the whole rank profile $\phi$, but only on the rank $t$. This section is the most technical and involved part of the paper. Therefore, we derive the bound in three steps, motivated by the discussion of the failure conditions in Section 4: in Section 5.1, we derive an upper bound on the failure probability of the product condition; Section 5.2 presents a bound on the syndrome condition failure probability conditioned on the event that the product condition is fulfilled; finally, in Section 5.3, we derive a bound on the intersection failure probability, given that the first two conditions are satisfied.
The proof strategy is similar to the analogous derivation for LRPC codes over fields by Gaborit et al. [10]. However, our proof is much more involved for several reasons:
- we need to take care of the weaker structure of Galois rings and modules over them, e.g., zero divisors and the fact that not all modules have bases, so that module elements may not be uniquely represented in a minimal generating set;
- we correct a few (rather minor) technical inaccuracies in the original proof; and
- some prerequisite results that are well known for finite fields (e.g., the number of matrices of a certain rank) are, to the best of our knowledge, not known over Galois rings.
Before analyzing the three conditions, we show the following result, which implies that if $e$ is chosen at random as described above, then the random variable $\mathcal{E}$, the support of the chosen error, is also uniformly distributed on the set of modules with rank profile $\phi$. Note that the analogous statement for errors over a finite field follows immediately from linear algebra, but here we need a bit more work.
Lemma 3 Let $\phi(x) \in \mathbb{Z}[x]/(x^r)$ be a polynomial with nonnegative coefficients and let $\mathcal{E}$ be an $R$-submodule of $S$ with rank profile $\phi(x)$. Then, the number of vectors $e \in S^n$ whose support is equal to $\mathcal{E}$ depends only on $\phi(x)$.
Proof Let $N := \phi(1)$ and let $\Gamma$ be an $\mathfrak{m}$-shaped basis for $\mathcal{E}$. Then, the vector $e$ whose first $N$ entries are the elements of $\Gamma$ and whose last $n - N$ entries are 0 is a vector whose support is equal to $\mathcal{E}$. Moreover, all vectors in $S^n$ whose support is equal to $\mathcal{E}$ are of the form $(Ae^\top)^\top$ for $A \in \mathrm{GL}(n, R)$. Let us fix a basis of $S$ so that we can identify $S$ with $R^m$. In this representation, $e^\top$ corresponds to a matrix $DT$, where
and $T \in R^{n\times m}$ has linearly independent rows over $R$. Then, the vectors in $S^n$ whose support is equal to $\mathcal{E}$ correspond to the matrices $ADT$ for $A \in \mathrm{GL}(n,R)$, and their number is equal to the cardinality of the set $\mathrm{Vec}(\mathcal{E}, n) := \{ADT : A \in \mathrm{GL}(n,R)\}$. The group $\mathrm{GL}(n,R)$ acts on $\mathrm{Vec}(\mathcal{E}, n)$ from the left and, by definition, this action is transitive.
Hence, by the orbit-stabilizer theorem, we have $|\mathrm{Vec}(\mathcal{E}, n)| = |\mathrm{GL}(n,R)| \,/\, |\{A \in \mathrm{GL}(n,R) : ADT = DT\}|$. Hence, we need to count how many matrices $A \in \mathrm{GL}(n,R)$ satisfy $ADT = DT$. Let us call $S := A - I_n$ and divide it into $r+1$ blocks $S_i \in R^{n\times n_i}$ for $i \in \{0,\dots,r-1\}$ and $S_r \in R^{n\times(n-N)}$. Moreover, do the same with $T$, dividing it into $r+1$ blocks $T_i \in R^{n_i\times m}$ for $i \in \{0,\dots,r-1\}$ and $T_r \in R^{(n-N)\times m}$. Therefore, we get
Since the rows of $T$ are linearly independent over $R$, this is true if and only if $S_i \in \mathfrak{m}^{r-i} R^{n\times n_i}$. This condition clearly depends only on the values $n_i$, and hence on $\phi(x)$. ⊓⊔

Failure of Product Condition
The product condition means that the product space of the randomly chosen support $\mathcal{E}$ and the fixed free module $F$ (in which the parity-check matrix coefficients are contained) has maximal rank profile $\phi_{\mathcal{E}\cdot F} = \phi_\mathcal{E}\,\phi_F$. If $\mathcal{E}$ were a free module, the condition would translate to $\mathcal{E}\cdot F$ being a free module of rank $\lambda t$. In fact, our proof strategy reduces the question whether $\phi_{\mathcal{E}\cdot F} = \phi_\mathcal{E}\,\phi_F$ to the question whether a free module of rank $t$, which is related to $\mathcal{E}$, yields a product space with the free module $F$ of maximal rank profile. Hence, we first study this question for products of free modules. This part of the bound derivation is similar to the case of LRPC codes over finite fields (cf. [1]), but the proofs and counting arguments are more involved since we need to take care of non-units in the ring.
Lemma 4 Let $\alpha', \beta$ be non-negative integers with $(\alpha'+1)\beta < m$. Further, let $\mathcal{A}', \mathcal{B}$ be free submodules of $S$ of free rank $\alpha'$ and $\beta$, respectively, such that also $\mathcal{A}'\cdot\mathcal{B}$ is a free submodule of $S$ of free rank $\alpha'\beta$. For an element $a \in S^*$ chosen uniformly at random, let $\mathcal{A} := \mathcal{A}' + \langle a\rangle$. Then, we have
Proof First note that since $a$ is a unit in $S$, the mapping $\varphi_a : \mathcal{B} \to S$, $b \mapsto ab$, is injective. This means that $a\mathcal{B}$ is a free module with $\mathrm{frk}_R(a\mathcal{B})$
Let $c$ be chosen uniformly at random from $S$. Recall that $a$ is chosen uniformly at random from $S^*$. Then,
This holds since if $c$ is chosen to be a non-unit in $S$, then the statement "$\exists\, b \in \mathcal{B}\setminus\{0\} : cb \in \mathcal{A}'\cdot\mathcal{B}$" is always true. To see this, write $c = g_\mathfrak{m}c'$ for some $c' \in S$. Since $\beta > 0$,
and $b$ is from $\mathcal{B}$ and non-zero. Now we bound the right-hand side of (6) as follows
Since $b^*$ is a unit in $S$, for uniformly drawn $c$, $cb^*$ is also uniformly distributed on $S$.
Hence, $cb^*g_\mathfrak{m}^j$ is uniformly distributed on the ideal $\mathfrak{M}^j$ of $S$ (the mapping $S \to \mathfrak{M}^j$, $\chi \mapsto \chi g_\mathfrak{m}^j$, is surjective and maps equally many elements to the same image) and we
An element $c \in \mathcal{A}'\cdot\mathcal{B}$ is in $\mathfrak{M}^j$ if and only if it can be written as $c = \sum_i \mu_i v_i$, where $\mu_i \in \mathfrak{m}^j$ for all $i$. Hence,
Overall, we get
Furthermore, we have (note that $\mathfrak{M}^{j+1} \subseteq \mathfrak{M}^j$)
Combining and simplifying (5), (6), (7), and (8), we obtain the desired result.

⊓ ⊔
Lemma 5 Let $\mathcal{B}$ be a fixed free submodule of $S$ with $\mathrm{frk}_R(\mathcal{B}) = \beta$. For a positive integer $\alpha$ with $\alpha\beta < m$, let $\mathcal{A}$ be drawn uniformly at random from the set of free submodules of $S$ of free rank $\alpha$. Then,
Proof Drawing a free submodule $\mathcal{A} \subseteq S$ of rank $\alpha$ uniformly at random is equivalent to drawing iteratively $\mathcal{A}_0 := \{0\}$, $\mathcal{A}_i := \mathcal{A}_{i-1} + \langle a_i\rangle$ for $i = 1,\dots,\alpha$, where for each iteration $i$ the element $a_i \in S$ is chosen uniformly at random from the set of elements that are linearly independent of $\mathcal{A}_{i-1}$. The equivalence of the two random experiments is clear since the possible choices of the sequence $a_1,\dots,a_\alpha$ give exactly all bases of free $R$-submodules of $S$ of rank $\alpha$. Furthermore, all sequences are equally likely and each resulting submodule has the same number of bases that generate it (which equals the number of invertible $\alpha\times\alpha$ matrices over $R$). We have the following recursive formula for any $i = 1,\dots,\alpha$:
where $(*)$ follows from Lemma 4 by the following additional argument: $\beta$ and $a_i$ linearly independent and its span trivially intersects with
where the last inequality is exactly the statement of Lemma 4. By $\Pr[\mathrm{frk}_R(\mathcal{A}_0\cdot\mathcal{B}) < 0] = 0$, we get
This proves the claim.

⊓ ⊔
Recall that the error support $\mathcal{E}$ is not necessarily a free module. In the following sequence of statements, we therefore answer the question of how the results of Lemmas 4 and 5 can be used to derive a bound on the product condition failure probability.
To achieve this, we study the following free modules related to modules of arbitrary rank profile.Note that this part of the proof differs significantly from LRPC codes over finite fields, where all modules are vector spaces, and thus free.
For a module $\mathcal{M} \subseteq S$ with $\mathfrak{m}$-shaped basis $\Gamma$, define $\mathcal{F}(\Gamma) \subseteq S$ to be the free module obtained from $\mathcal{M}$ as follows. Let us write
where the elements $a_{i,\ell_i}$ are all reduced modulo $\mathfrak{M}^{r-i}$, that is, the Teichmüller representation of $a_{i,\ell_i}$ is of the form
This is clearly possible since if we add to $a_{i,\ell_i}$ an element $y \in \mathfrak{M}^{r-i} = (g_\mathfrak{m}^{r-i})$, then $g_\mathfrak{m}^i(a_{i,\ell_i} + y) = g_\mathfrak{m}^i a_{i,\ell_i}$. Set $F(\Gamma) := \{a_{i,\ell_i} : 0 \le i \le r-1,\ 1 \le \ell_i \le \phi_i^\mathcal{M}\}$ and $\mathcal{F}(\Gamma) := \langle F(\Gamma)\rangle_R$. The fact that $\mathcal{F}(\Gamma)$ is free directly follows from considering its Smith normal form, which tells us that in the matrix representation it is spanned by (some of) the rows of an invertible matrix in $\mathrm{GL}(m, R)$. In particular, we have $\mathrm{frk}_R(\mathcal{F}(\Gamma)) = \mathrm{rk}_R(\mathcal{M})$.
At this point, for two different m-shaped bases Γ, Λ of M, one could ask whether F(Γ ) = F(Λ).The answer is affirmative, and it can be deduced from the following result.
Proposition 2 Let n_0, ..., n_{r−1} ∈ ℕ be nonnegative integers, let N := n_0 + ... + n_{r−1}, and let D ∈ R^{N×N} be the diagonal matrix given by Moreover, let T_1, T_2 ∈ R^{r×m} be such that the rows of T_i are R-linearly independent for each i ∈ {1, 2}. Then, the rowspaces of DT_1 and DT_2 coincide if and only if for every i, j ∈ {0, ..., r−1} there exist Y_{i,j} ∈ R^{n_i×n_j} with Y_{i,i} ∈ GL(n_i, R) and where Proof The rowspaces of DT_1 and DT_2 coincide if and only if there exists a matrix X ∈ GL(N, R) such that XDT_1 = DT_2. Divide T_ℓ into r blocks T_{ℓ,i} ∈ R^{n_i×m} for i ∈ {0, ..., r−1}, and divide X into r × r blocks X_{i,j} ∈ R^{n_i×n_j} for i, j ∈ {0, ..., r−1}.
Hence, from XDT_1 = DT_2 we get Since the rows of T_1 are R-linearly independent, (9) implies that g_m^j X_{i,j} ∈ g_m^i R^{n_i×n_j}. This shows that , for some Y_{i,j} ∈ R^{n_i×n_j}. Observe now that X = U + g_m L, where Since X is invertible and g_m L is nilpotent, U is also invertible, and hence Y_{i,i} ∈ GL(n_i, R) for every i ∈ {0, ..., r−1}. At this point, observe that XD = DY, from which we deduce This implies that the ith block of m R^{n_i×m} and we conclude.
⊓ ⊔ Let M be an R-submodule of S. Proposition 2 implies that if we restrict ourselves to taking i} such that the elements a_{i,j_i} have Teichmüller representation then the module F(Γ) is well-defined and does not depend on the choice of Γ.
Definition 4 We define F(M) to be the space F(Γ), where i} is any m-shaped basis such that the elements a_{i,j_i} have Teichmüller representation as in (10).
The following two corollaries follow from observations in Proposition 2. We will use them to show that for certain uniformly chosen modules M, the corresponding free modules F(M) are uniformly chosen from the set of free modules of rank equal to the rank of M. The proofs can be found in Appendix A. Now, for a given R-submodule M of S, we consider all the free modules that come from an m-shaped basis for M. More specifically, we set Free(M) := {A | A is free with frk_R(A) = rk_R(M) and there exists a basis {a_{i,ℓ_i}} of A such that {g_m^i a_{i,ℓ_i}} is an m-shaped basis for M}.
In fact, even though for the R-module M there is a unique free module F(M) as explained in Definition 4, there is more than one free module A belonging to Free(M).
The exact number of such free modules is given in the following corollary.
Corollary 1 Let M be an R-submodule of S with rank profile φ_M(x) and rank In particular, |Free(M)| only depends on φ_M(x).
Proof See Appendix A.

⊓ ⊔
Now we estimate the opposite quantity. For a fixed rank profile φ(x) with φ(1) ≤ m and a given free R-submodule N of S with free rank frk_R(N) = φ(1), for how many R-submodules M of S with rank profile φ_M(x) = φ(x) does the module N belong to Free(M)? Formally, we want to estimate the cardinality of the set Proof See Appendix A.

⊓ ⊔
We need the following lemma to derive a sufficient condition for the product of two modules to have a maximal rank profile.
Lemma 6 Let M be an R-submodule of S, and let A, B ∈ Free(M). Moreover, let N be a free R-submodule of S. Then, are two m-shaped bases for M, and let ∆ = {u_1, ..., u_t} be a basis for N. Assume that ∆ · A = {u_ℓ a_{i,j_i}} has rk_R(M) frk_R(N) linearly independent elements over R. By symmetry, it is enough to show that this implies that N · B is free. By Proposition 2, we know that there exists Hence, we need to prove that the elements {u_ℓ(a_{i,j_i} + g_m x_{i,j_i})} are linearly independent over R.
Suppose that there exist λ_{ℓ,i,j_i} ∈ R such that $\sum_{\ell,i,j_i} \lambda_{\ell,i,j_i}\, u_\ell (a_{i,j_i} + g_m x_{i,j_i}) = 0$; hence, rearranging the sum, we get Multiplying both sides by g_m^{r−1}, we obtain $\sum_{\ell,i,j_i} \lambda_{\ell,i,j_i}\, g_m^{r-1} u_\ell a_{i,j_i} = 0$, and since by hypothesis {u_ℓ a_{i,j_i}} is a basis, this implies λ_{ℓ,i,j_i} ∈ Ann(g_m^{r−1}) = 𝔪, and therefore there exist λ'_{ℓ,i,j_i} ∈ R such that λ_{ℓ,i,j_i} = g_m λ'_{ℓ,i,j_i}. Thus, (11) becomes Now, multiplying both sides by g_m^{r−2} and with the same reasoning as before, we obtain that all the λ'_{ℓ,i,j_i} ∈ 𝔪 and the right-hand side of (11) belongs to 𝔪^3. Iterating this process r − 2 times, we finally get that the right-hand side of (11) belongs to 𝔪^r = (0), and therefore (11) corresponds to $\sum_{\ell,i,j_i} \lambda_{\ell,i,j_i}\, u_\ell a_{i,j_i} = 0$, which by hypothesis implies λ_{ℓ,i,j_i} = 0 for every ℓ, i, j_i. This concludes the proof, showing that the elements {u_ℓ(a_{i,j_i} + g_m x_{i,j_i})} are linearly independent over R. ⊓ ⊔ With the aid of Lemma 6 we can show that whether the product of two arbitrary R-modules M_1, M_2 has maximal rank profile (according to Definition 1) depends only on the free modules F(M_1) and F(M_2) and on their product.
Proposition 3 Let M_1 and M_2 be submodules of S. If the product of free modules Moreover, if we assume that deg(φ_{M_1}(x)) + deg(φ_{M_2}(x)) < r, then the converse is also true. In particular, the converse is true if one of the two modules is free.
Proof First, observe that by Lemma 6 we can take any pair of m-shaped bases Γ_1 and Γ_2 of M_1 and M_2, respectively. Let us fix m-shaped basis of M_1 and where D' is a t × t diagonal matrix whose diagonal elements are all of the form g_m^{i+s} for suitable i, s. This shows that A' = (D' | 0)T is a Smith normal form for A' and that the rank profile φ_{M_1·M_2}(x) corresponds to φ_{M_1}(x)φ_{M_2}(x).
On the other hand, if Let SDT be a Smith normal form for M_1 · M_2; then the elements of F(Γ_1 · Γ_2) correspond to the first rk_R(M_1) rk_R(M_2) rows of the matrix T, and hence they are R-linearly independent. Thus, F(M_1) · F(M_2) is free with free rank equal to rk_R(M_1) rk_R(M_2).

⊓ ⊔
Remark 3 Observe that the second part of Proposition 3 no longer holds if we remove the hypothesis that deg(φ Let A', A = A' + a and B be three free modules of free rank α − 1, α and β, respectively, such that A' · B is free of rank (α−1)β but A · B is not free of rank αβ. Take a basis for A of the form {a_1, ..., a_{α−1}, a} such that {a_1, ..., a_{α−1}} is a basis of A', and fix also a basis {b_1, ..., b_β} for B. Then, define M_1 to be the R-module whose m-shaped basis is {a_1, ..., a_{α−1}, g_m^{r−1} a}, and define M_2 = 𝔪B. Consider the module Observe that B ∈ Free(M_2), and by Proposition 3 and Lemma 6 we have that φ_{M_1·M_2}(x) = φ_{M_1}(x)φ_{M_2}(x). However, by construction we have A ∈ Free(M_1), B ∈ Free(M_2), and A · B is not free of rank αβ. Therefore, by Lemma 6 this also holds for F(M_1) · F(M_2).
We are now ready to put the various statements of this subsection together and prove an upper bound on the failure probability of the product condition, the main statement of this subsection.
Theorem 1 Let B be a fixed R-submodule of S with rank profile φ_B(x), and let λ := φ_B(1) = rk_R(B). Let t be a positive integer with tλ < m, and let φ(x) ∈ ℤ[x]/(x^r) have nonnegative coefficients with φ(1) = t. Let A be an R-submodule of S selected uniformly at random among all modules with φ_A = φ. Then, Proof Let us denote by Mod(φ) the set of all R-submodules of S whose rank profile equals φ. Choose uniformly at random a module A in Mod(φ), and then select X uniformly at random from Free(A). This results in a uniform distribution on the set of all free modules with free rank equal to φ(1) = t, that is, the set Mod(t), where t denotes the constant polynomial in ℤ[x]/(x^r) equal to t. Indeed, for an arbitrary free module N with frk_R(N) = t, which by Corollaries 1 and 2 is a constant that does not depend on N. Now, suppose that φ_{A·B} ≠ φ_A φ_B. By Proposition 3, this implies that N · N' is not a free module of rank tλ, where N is any free module in Free(A) and N' is any free module in Free(B). Hence, a free module of free rank tλ , and we conclude using Lemma 5.

⊓ ⊔
As a consequence, we can finally derive the desired upper bound on the product condition failure probability.
Theorem 2 Let F be defined as in Definition 2. Let t be a positive integer with tλ < m, and let φ(x) ∈ ℤ[x]/(x^r) have nonnegative coefficients with φ(1) = t (recall that this means that an error of rank profile φ has rank t). Let e be an error word chosen uniformly at random among all error words with support E of rank profile φ_E = φ.
Then, the probability that the product condition is not fulfilled is Proof Let us denote by Mod(φ) the set of all R-submodules of S whose rank profile equals φ. By Lemma 3, choosing e uniformly at random among all words whose support E has rank profile φ results in a uniform distribution on Mod(φ). At this point, the claim follows from Theorem 1. ⊓ ⊔

Failure of Syndrome Condition
Here we derive a bound on the probability that the syndrome condition is not fulfilled, given that the product condition is satisfied. As in the case of finite fields, the bound is based on the relative number of matrices of a given dimension that have full (free) rank. We have not found a result on the number of such matrices over Galois rings in the literature, which is why we first derive it in the next lemma.
Proof First note that $NM(1, b; R) = p^{brs} - p^{b(r-1)s} = p^{brs}\,(1 - p^{-bs})$, since a 1 × b matrix over R has free rank 1 if and only if at least one entry is a unit. Hence we subtract from the number of all matrices (|R|^b = p^{brs}) the number of vectors that consist only of non-units (R has p^{(r−1)s} non-units, so there are p^{b(r−1)s} such vectors).
Let now, for any a' ≤ a, A ∈ R^{a'×b} be a matrix of free rank a'. We define We study the cardinality of V(A). We have frk([A^⊤ v^⊤]^⊤) = a' if and only if the rows of the matrix Â := [A^⊤ v^⊤]^⊤ are linearly dependent. Due to frk(A) = a' and the existence of a Smith normal form of A, there are invertible matrices S and T such that SAT = D, where D is a diagonal matrix with ones on its diagonal. Since S and T are invertible, we can count the number of vectors v' such that the rows of the matrix [D^⊤ v'^⊤]^⊤ are linearly independent instead of those of the matrix Â (note that v = v'T^{−1} gives a corresponding linearly dependent row in Â).
Since D is in diagonal form with only ones on its diagonal, the linearly dependent vectors are exactly of the form where Hence, we have Note that this value is independent of A.
By the discussion on |V(A)|, we get the following recursive formula:

⊓ ⊔
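As an added illustration (not code from the paper), the following Python counts a × b matrices of full free rank over the simplest Galois ring R = Z/p^r Z = GR(p^r, 1), i.e. with s = 1: once by brute force directly from the definition of R-linear independence, and once by the closed form obtained by reducing modulo p (a matrix over a chain ring has full free rank exactly when its reduction to the residue field has full rank, and each such residue matrix lifts to p^{(r−1)ab} matrices over R). For a = 1 this reduces to the base case NM(1, b; R) = p^{br} − p^{b(r−1)} stated above; the general-a closed form goes beyond what the page states and is a standard count. The fraction of full-rank matrices is also written as the q-Pochhammer-type product that the proof of Theorem 3 relies on. All parameters are small constructed values.

```python
"""Counting a x b matrices of full free rank over R = Z/p^r Z = GR(p^r, 1).
Added example (not the paper's code): the brute-force count applies the
definition of R-linear independence directly and is compared with the closed
form obtained by reducing modulo p; for a = 1 the closed form is the base case
p^{br} - p^{b(r-1)} of Lemma 7 with s = 1."""
from fractions import Fraction
from itertools import product


def rows_independent(M, q):
    """Rows of M are R-linearly independent (R = Z/qZ) iff no non-zero
    coefficient vector lam gives sum_i lam_i * row_i = 0 in R^b."""
    a, b = len(M), len(M[0])
    for lam in product(range(q), repeat=a):
        if any(lam):
            comb = [sum(lam[i] * M[i][j] for i in range(a)) % q for j in range(b)]
            if not any(comb):
                return False
    return True


def count_full_free_rank(a, b, p, r):
    """Brute force: number of a x b matrices over Z/p^r Z with free rank a."""
    q = p ** r
    total = 0
    for entries in product(range(q), repeat=a * b):
        M = [list(entries[i * b:(i + 1) * b]) for i in range(a)]
        if rows_independent(M, q):
            total += 1
    return total


def nm_closed_form(a, b, p, r):
    """NM(a, b; R) for R = GR(p^r, 1).  A matrix has full free rank iff its
    reduction modulo p has rank a over F_p (some a x a minor is then a unit),
    and every such F_p-matrix lifts to p^{(r-1)ab} matrices over R."""
    count_fp = 1
    for i in range(a):
        count_fp *= p ** b - p ** i
    return p ** ((r - 1) * a * b) * count_fp


def full_rank_fraction(a, b, p, r):
    """Probability that a uniformly random a x b matrix over R (such as the
    matrix S in the proof of Theorem 3) has full free rank."""
    return Fraction(nm_closed_form(a, b, p, r), p ** (r * a * b))


def pochhammer_fraction(a, b, p, r):
    """The same probability as the product prod_{j=b-a+1}^{b} (1 - p^{-js})
    with s = 1.  The base of the decay is p^s rather than |R| = p^{rs}, which
    is the 'loss' relative to finite fields discussed after Theorem 5."""
    prod = Fraction(1)
    for j in range(b - a + 1, b + 1):
        prod *= 1 - Fraction(1, p ** j)
    return prod


if __name__ == "__main__":
    for a, b, p, r in [(1, 2, 2, 2), (2, 3, 2, 2), (1, 2, 3, 2), (2, 2, 3, 1)]:
        print(a, b, p, r, count_full_free_rank(a, b, p, r), nm_closed_form(a, b, p, r))
```

The brute-force count is only feasible for tiny parameters, but it confirms the mod-p criterion independently of the formula, which is the check one wants before trusting the simplified bound in Theorem 3.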
At this point we can prove the bound on the failure probability of the syndrome condition, similar to the one in [10], using Lemma 7. The additional difficulty over rings is to deal with non-unique decompositions of module elements in m-shaped bases and with the derivation of a simplified bound on the relative number of non-full-rank matrices. Furthermore, the start of the proof corrects a minor technical imprecision in Gaborit et al.'s proof.
Theorem 3 Let F be defined as in Definition 2, let t be a positive integer with tλ < min{m, n−k+1}, and let E be an error space of rank t. Suppose that the product condition is fulfilled for E and F. Suppose further that H has the maximal-row-span and unity properties (cf. Definition 3).
Let e be an error word chosen uniformly at random among all error words with support E. Then, the probability that the syndrome condition is not fulfilled for e is Proof Let e' ∈ S^n be chosen such that every entry e'_i is chosen uniformly at random from the error support E. Denote by S_e and S_{e'} the syndrome spaces obtained by computing the syndromes of e and e', respectively. Then, we have where the latter equality follows from the fact that the random experiment of choosing e' and conditioning on the property that e' has support E is the same as directly drawing e uniformly at random from the set of errors with support E. Hence, we obtain a lower bound on Pr[S_e = E · F] by studying Pr[S_{e'} = E · F], which we do in the following.
Let f_1, ..., f_λ and ε_1, ..., ε_t be m-shaped bases of F and E, respectively, such that the f_j ε_i for i = 1, ..., t, j = 1, ..., λ form an m-shaped basis of E · F. Note that the existence of such bases is guaranteed by the assumed product condition.

Since e'_i is an element drawn uniformly at random from E, we can write it as $e'_i = \sum_{\mu=1}^{t} e'_{i,\mu}\,\varepsilon_\mu$, where the e'_{i,µ} are uniformly distributed on R. We can assume uniformity of e'_{i,µ} since, for a given e'_i, the decomposition of e'_{i,µ} is unique modulo 𝔪^{r−v(ε_i)}. In particular, there are equally many decompositions [e'_{i,1}, ..., e'_{i,t}] for each e'_i, and the sets of these decompositions are disjoint for different i.
Due to the unity property of the parity-check matrix H, we can write any entry H_{i,j} of H as $H_{i,j} = \sum_{\eta=1}^{\lambda} h_{i,j,\eta}\, f_\eta$, where the h_{i,j,η} are units in R or zero. Furthermore, since each row of H spans the entire module F (full-row-span property), for each i and each η there is at least one j* with h_{i,j*,η} ≠ 0. By the previous assumption, this means that h_{i,j*,η} ∈ R*.
Then, each syndrome coefficient can be written as By the above discussion, for each i and η there is a j* with h_{i,j*,η} ∈ R*. Hence, s_{µ,η,i} is a sum (with at least one summand) of products of uniformly distributed elements of R and units of R. A uniformly distributed ring element times a unit is again uniformly distributed on R, so s_{µ,η,i} is a sum (with at least one summand) of uniformly distributed elements of R; hence s_{µ,η,i} itself is uniformly distributed on R.
All together, we can write , where, by assumption, the ε_i f_j are a generating set of E · F and the matrix S is chosen uniformly at random from R^{(n−k)×tλ}. If S has full free rank tλ, then we have S_{e'} = E · F. By Lemma 7, the probability of drawing such a full-rank matrix is NM(a, b; R) This proves the bound We simplify the bound further using the observation that the product is a q-Pochhammer symbol. Hence, we have for λt < n − k + 1, i.e., |a_j| is strictly monotonically decreasing. Since the summands a_j have alternating signs, we can thus bound $\sum_{j=1}^{\lambda t} a_j \le a_1$, which gives In contrast to Theorem 3, the full-row-span property was not assumed in [1, Proposition 4.3], which is the analogous statement for finite fields. However, the statement in [1, Proposition 4.3] is also only correct if we assume additional structure on the parity-check matrix (e.g., that each row spans the entire space F, or a weaker condition), due to the following counterexample: Consider a parity-check matrix H that contains only non-zero entries on its diagonal and in the last row, where the diagonal entries are all f_1 and the last row contains the remaining f_2, ..., f_λ, i.e., . This is a valid parity-check matrix according to [1, Definition 4.1], since the entries of H span the entire space F. However, due to the structure of the matrix, the first n − k − 1 syndromes all lie in f_1 E, hence rk_R(S) ≤ t + 1 < tλ for any error of support E.

Failure of Intersection Condition
We use a similar proof strategy as in [1] to derive an upper bound on the failure probability of the intersection condition. The following lemma is the Galois-ring analog of [1, Lemma 3.4], where the difference is that we need to take care of the fact that the representation of module elements in an m-shaped basis is not necessarily unique in a Galois ring. Since this holds for any b, we have yB ⊆ B, which proves the claim.

⊓ ⊔
We get the following bound using Lemma 8, Theorem 1, and a similar argument as in [10].
Theorem 4 Let F be defined as in Definition 2 such that it has the base-ring property (i.e., 1 ∈ F). Suppose that no intermediate ring R' with R ⊊ R' ⊆ S is contained in F (this holds, e.g., for λ greater than the smallest divisor of m, or for special F).
Let t be a positive integer with $t\,\lambda(\lambda+1)/2 < m$ and tλ < n − k + 1, and let φ(x) ∈ ℤ[x]/(x^r) have nonnegative coefficients with φ(1) = t. Choose e ∈ S^n uniformly at random from the set of vectors whose support has rank profile φ.
Then, the probability that the intersection condition is not fulfilled, given that the syndrome and product conditions are satisfied, is Proof Suppose that the product (φ_{E·F} = φ_E φ_F) and syndrome (S = E · F) conditions are fulfilled, and assume that the intersection condition is not fulfilled. Then we have Since E is chosen uniformly at random from all free submodules of S of rank t, we can apply Theorem 1 and obtain that φ where λ' := rk_R(F^2) ≤ λ(λ+1)/2 (this is clear since F^2 is generated by the products of all unordered pairs of elements of an m-shaped basis of F).
Hence, with probability at least one minus this value, both conditions of Lemma 8 are fulfilled. In that case, there is an element y ∈ F \ R such that yF ⊆ F. Thus, also y^i F ⊆ F for all positive integers i, and the ring R(y) obtained by extending R by the element y ∉ R fulfills R(y) ⊆ F (this holds since F contains at least one unit). This is a contradiction to the assumption on intermediate rings.

Overall Failure Probability
The following theorem states the overall bound on the failure probability, exploiting the bounds derived in Theorems 2, 3, and 4.
Theorem 5 Let F be defined as in Definition 2 such that it has the base-ring property (i.e., 1 ∈ F). Suppose that no intermediate ring R' with R ⊊ R' ⊆ S is contained in F (this holds, e.g., for λ greater than the smallest divisor of m, or for special F). Suppose further that H has the maximal-row-span and unity properties (cf. Definition 3).
Let t be a positive integer with $t\,\lambda(\lambda+1)/2 < m$ and tλ < n − k + 1, and let φ(x) ∈ ℤ[x]/(x^r) have nonnegative coefficients with φ(1) = t. Choose e ∈ S^n uniformly at random from the set of vectors whose support has rank profile φ.
Then, Algorithm 1 with input c + e returns c with a failure probability of at most Proof The statement follows by applying the union bound to the failure probabilities of the three success conditions derived in Theorems 2, 3, and 4.

⊓ ⊔
The simplified bound (14) in Theorem 5 coincides up to a constant with the bound by Gaborit et al. [10] in the case of a finite field (a Galois ring with r = 1). If we compare an LRPC code over a finite field of size p^{rs} with an LRPC code over a Galois ring with parameters p, r, s (i.e., of the same cardinality), then we observe that the bounds have the same exponent, but the base of the exponential is different: it is p^{rs} for the field and p^s for the ring. Hence, the maximal decoding radii t_max (i.e., the maximal rank t for which the bound is < 1) are roughly the same, but the exponential decay in t_max − t for smaller error rank t is slower in the case of rings, due to the smaller base of the exponential expression. This "loss" is expected due to the weaker structure of modules over Galois rings compared to vector spaces over fields.

Decoding Complexity
We discuss the complexity of the decoding algorithm described in Section 4. Over a field, all operations within the decoding algorithm are well-studied, and it is clear that the algorithm runs in roughly Õ(λ² n² m) operations over the small field F_q.
Although we believe that an analogous treatment over the rings studied in this paper must be known in the community, we have not found a comprehensive complexity overview of the corresponding operations in the literature. Hence, we start the complexity analysis with an overview of the complexities of ring operations and linear algebra over these rings.

Cost Model and Basic Ring Operations
We express complexities in operations in R. For some complexity expressions, we use the soft-O notation, i.e., f(n). We use the following result, which follows straightforwardly from standard computer-algebra methods in the literature.
Lemma 9 (Collection of results in [26]) Addition in S costs m additions in R.
Multiplication in S can be done in O(m log(m) log(log(m))) operations in R.
Proof We represent elements of S as residue classes of polynomials in R[z]/(h(z)) (e.g., each residue class is represented by its unique representative of degree < m), where h ∈ R[z] is a monic polynomial of degree m, as explained in the preliminaries. Addition is done independently on the m coefficients of the polynomial representation, so it only requires m additions in R. Multiplication consists of multiplying two residue classes in R[z]/(h(z)), which can be done by multiplying the two representatives of degree < m and then reducing the result modulo (h(z)) (i.e., taking the remainder of the division by the monic polynomial h). Both multiplication and division can be implemented in O(m log(m) log(log(m))) time using Schönhage and Strassen's polynomial multiplication algorithm (cf. [26, Section 8.3]) and a reduction of division to multiplication via Newton iteration (cf. [26, Section 9.1]). Note that both methods work over any commutative ring with 1.
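To make the representation in the proof of Lemma 9 concrete, here is an added Python example (not code from the paper) of arithmetic in S = R[z]/(h(z)) with R = Z/p^r Z, i.e. the case s = 1. Multiplication is schoolbook rather than Schönhage-Strassen, since the point is the reduction modulo a monic h, which never requires dividing by a non-unit. The modulus h(z) = z² + z + 1 over Z/4Z is a constructed choice; it is irreducible modulo 2, so the resulting S is the Galois ring GR(4, 2) and the unit test at the end (a unit is an element with some coefficient not divisible by p) applies. The last function checks the fact used in the proof of Theorem 3 that multiplication by a unit permutes S.

```python
"""Arithmetic in S = R[z]/(h(z)) with R = Z/p^r Z and h monic of degree m.
Added example, not the paper's code.  h = z^2 + z + 1 over Z/4Z is a
constructed sample modulus (irreducible mod 2, so S = GR(4, 2))."""
from itertools import product


def poly_mod(f, h, q):
    """Remainder of f modulo the monic polynomial h over Z/qZ; coefficient
    lists are low degree first.  Because the leading coefficient of h is 1,
    each reduction step subtracts c * z^k * h with an integer c, so no
    division by a possibly non-invertible ring element is needed."""
    assert h[-1] % q == 1, "h must be monic for reduction over a ring"
    m = len(h) - 1
    f = [c % q for c in f]
    for i in range(len(f) - 1, m - 1, -1):
        c = f[i]
        if c:
            for j in range(m + 1):
                f[i - m + j] = (f[i - m + j] - c * h[j]) % q
    return (f + [0] * m)[:m]


def ext_add(a, b, h, q):
    """Addition in S is coefficient-wise: m additions in R (Lemma 9)."""
    return [(x + y) % q for x, y in zip(poly_mod(a, h, q), poly_mod(b, h, q))]


def ext_mul(a, b, h, q):
    """Multiply the degree < m representatives (schoolbook here; a fast
    polynomial multiplication would give the Lemma 9 bound) and reduce mod h."""
    a, b = poly_mod(a, h, q), poly_mod(b, h, q)
    m = len(h) - 1
    prod = [0] * (2 * m - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % q
    return poly_mod(prod, h, q)


def is_unit(a, h, p, q):
    """S is local with maximal ideal pS when h is irreducible modulo p, so a
    is a unit iff it is non-zero modulo p, i.e. some coefficient is not
    divisible by p."""
    return any(c % p for c in poly_mod(a, h, q))


def times_unit_is_bijection(u, h, q):
    """Multiplication by u is a permutation of S exactly when u is a unit;
    this is why a uniformly distributed element times a unit stays uniform
    in the proof of Theorem 3."""
    m = len(h) - 1
    images = {tuple(ext_mul(u, x, h, q)) for x in product(range(q), repeat=m)}
    return len(images) == q ** m


if __name__ == "__main__":
    H, Q = [1, 1, 1], 4                      # z^2 + z + 1 over Z/4Z
    print(ext_mul([0, 1], [0, 1], H, Q))     # z * z = -z - 1 = 3z + 3
    print(is_unit([1, 2], H, 2, Q), is_unit([2, 2], H, 2, Q))
```

The `poly_mod` assertion is the practical caveat of the proof: over a ring, reduction by a non-monic modulus would require inverting its leading coefficient, which need not be a unit.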

Linear Algebra over Galois Rings
We recall how fast the Smith normal form of a matrix over R can be computed and show that computing the right kernel of a matrix and solving a linear system can be done at a similar speed. Let 2 ≤ ω ≤ 3 be the matrix multiplication exponent (e.g., ω = 2.37 using the Coppersmith-Winograd algorithm).
where the n_i are the coefficients of the rank profile $\varphi(x) = \sum_{i=0}^{r-1} n_i x^i \in \mathbb{N}[x]/(x^r)$ of A's row space. Then, the rows of the following matrix form an m-shaped basis of the right kernel of D (we denote by η := n_0 the free rank of A's row space and by $\mu := \sum_{i=0}^{r-1} n_i$ the rank of A's row space): where Line 4 is called λ times and computes for each f_i the set S_i = f_i^{−1} S (recall that the inverses f_i^{−1} are precomputed). We obtain a generating set of S_i by multiplying all syndrome coefficients s_1, ..., s_{n−k} by f_i^{−1}. This costs O(λ(n − k)) operations in S in total, i.e., Õ(λnm) operations in R. If we want a minimal generating set, we can compute the Smith normal form of each S_i, which costs Õ(λ n^{ω−1} m) operations in R according to Lemma 10.
Line 5 computes the intersection $E' \leftarrow \bigcap_{i=1}^{\lambda} S_i$ of the modules S_i. This can be computed via the kernel computation algorithm as follows. Let A and B be two modules. Then, we have A ∩ B = K(K(A) ∪ K(B)). Hence, we can compute the intersection A ∩ B by writing generating sets of the modules as the rows of two matrices A and B, respectively. Then, we compute matrices A' and B' whose rows are generating sets of the right kernels of A and B, respectively. Then, the rows of the stacked matrix C := [A'^⊤ B'^⊤]^⊤ form a generating set of K(A) ∪ K(B), and we obtain A ∩ B by computing again the right Theorem 2, the syndrome condition (B: Synd) derived in Theorem 3, the intersection condition (B: Inter) provided in Theorem 4 and the union bound (B: Dec) stated in Theorem 5. Since the derived bounds depend only on the rank weight t but not on the rank profile, we show each bound only once.
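The kernel-from-Smith-normal-form computation (Lemma 11, whose statement is spliced into the text above) and the intersection A ∩ B = K(K(A) ∪ K(B)) used for Line 5 can be exercised end to end on the simplest Galois ring. The following Python is an added example, not the paper's or the cited [24] algorithm: it works over R = Z/p^r Z (s = 1), uses a plain pivoting strategy for the Smith normal form (in a chain ring an entry of minimal valuation divides every other entry, so it is always a valid pivot; no complexity claim is made), reads off the rank profile, solves D y = 0 coordinate-wise and maps back via x = T y exactly as in the proof of Lemma 11, and then intersects two modules through the double kernel. All matrices are constructed sample inputs; `row_module` is a brute-force enumerator used only to compare results.

```python
"""Smith normal form, rank profile, right kernel and module intersection over
R = Z/p^r Z (the Galois ring GR(p^r, 1)).  Added example, not the paper's own
code: the kernel follows the strategy of Lemma 11 and the intersection uses
A ∩ B = K(K(A) ∪ K(B)).  Sample matrices are constructed inputs."""
from itertools import product


def val(x, p, r):
    """p-adic valuation of x in Z/p^r Z, with val(0) = r."""
    if x == 0:
        return r
    v = 0
    while x % p == 0:
        x //= p
        v += 1
    return v


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def matmul(X, Y, q):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def smith_normal_form(A, p, r):
    """Return (D, S, T) with S A T = D diagonal, S and T invertible over Z/p^r Z.
    An entry of minimal valuation in the remaining block divides every other
    entry there, so it is swapped to the pivot position, scaled to p^v, and
    used to clear its row and column with integer multiples (no gcd steps)."""
    q = p ** r
    a, b = len(A), len(A[0])
    D = [[x % q for x in row] for row in A]
    S, T = identity(a), identity(b)
    for k in range(min(a, b)):
        piv = min(((val(D[i][j], p, r), i, j) for i in range(k, a)
                   for j in range(k, b) if D[i][j]), default=None)
        if piv is None:
            break                                     # remaining block is zero
        v, i, j = piv
        D[k], D[i], S[k], S[i] = D[i], D[k], S[i], S[k]
        for row in D:
            row[k], row[j] = row[j], row[k]
        for row in T:
            row[k], row[j] = row[j], row[k]
        uinv = pow(D[k][k] // p ** v, -1, q)          # normalise pivot to p^v
        D[k] = [x * uinv % q for x in D[k]]
        S[k] = [x * uinv % q for x in S[k]]
        for i in range(k + 1, a):                     # clear column k below pivot
            f = D[i][k] // p ** v
            D[i] = [(x - f * y) % q for x, y in zip(D[i], D[k])]
            S[i] = [(x - f * y) % q for x, y in zip(S[i], S[k])]
        for j in range(k + 1, b):                     # clear row k right of pivot
            f = D[k][j] // p ** v
            for row in D:
                row[j] = (row[j] - f * row[k]) % q
            for row in T:
                row[j] = (row[j] - f * row[k]) % q
    return D, S, T


def rank_profile(A, p, r):
    """Coefficients [n_0, ..., n_{r-1}] of the rank profile: n_i counts the
    diagonal entries p^i of the Smith normal form.  n_0 is the free rank
    (eta in the text) and the sum is the rank (mu)."""
    D, _, _ = smith_normal_form(A, p, r)
    n = [0] * r
    for i in range(min(len(A), len(A[0]))):
        v = val(D[i][i], p, r)
        if v < r:
            n[v] += 1
    return n


def right_kernel(A, p, r):
    """Generators (as rows) of {x : A x = 0}.  With D = S A T, solve D y = 0:
    for a diagonal entry p^v, y_i ranges over Ann(p^v) = (p^{r-v}); for a zero
    or absent entry y_i is free.  Then x = T y, i.e. the rows of K T^T."""
    q = p ** r
    D, _, T = smith_normal_form(A, p, r)
    a, b = len(A), len(A[0])
    gens = []
    for i in range(b):
        v = val(D[i][i] if i < a else 0, p, r)
        if v > 0:
            y = p ** (r - v)
            gens.append([T[row][i] * y % q for row in range(b)])
    return gens


def intersect(A, B, p, r):
    """A ∩ B via the double kernel: generators of K(A) and K(B) stacked
    generate K(A) + K(B) = K(A ∩ B), and K(K(M)) = M over a finite chain ring."""
    C = right_kernel(A, p, r) + right_kernel(B, p, r)
    if not C:                      # both kernels trivial: A = B = R^n
        return identity(len(A[0]))
    return right_kernel(C, p, r)


def row_module(M, n, q):
    """Brute-force enumeration of the row module of M in (Z/qZ)^n, for checks."""
    return {tuple(sum(l * row[j] for l, row in zip(lam, M)) % q for j in range(n))
            for lam in product(range(q), repeat=len(M))}
```

Over Z/4Z, intersecting the module generated by (1,0,0), (0,1,0) with the one generated by (1,1,0), (0,0,2) returns a single generator (1,1,0), and intersecting the non-free module generated by (2,0), (0,2) with the one generated by (1,1) returns (2,2); both agree with the brute-force enumeration, which is the kind of check worth running before trusting an intersection routine inside a decoder.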
One can observe that the bound on the probability of not fulfilling the syndrome condition is very close to the true probability, while the bounds on the probabilities of violating the product and syndrome conditions are loose. Gaborit et al. made the same observation in the case of finite fields. In addition, it seems that only the rank weight, but not the rank profile, has an impact on the probabilities of violating the success conditions. We also found that the base-ring property of F is, in all tested cases, not necessary for the failure probability bound on the intersection condition (Theorem 4) to hold. It is an interesting question whether we can prove the bound without this assumption, both for finite fields and rings.

Conclusion
We have adapted low-rank parity-check codes from finite fields to Galois rings and shown that Gaborit et al.'s decoding algorithm works for these codes as well. We also presented a failure probability bound for the decoder, whose derivation is significantly more involved than the finite-field analog due to the weaker structure of modules over finite rings. The bound shows that the codes have the same maximal decoding radius as their finite-field counterparts, but the exponential decay of the failure bound has p^s as its base instead of the cardinality of the base ring |R| = p^{rs} (note that R is a finite field if and only if r = 1). This means that there is a "loss" in failure probability when going from finite fields to finite rings, which is to be expected due to the zero divisors in the ring.
The results show that LRPC codes work over finite rings, and can thus be considered, as an alternative to Gabidulin codes over finite rings, for potential applications of rank-metric codes such as network coding and space-time codes; recall from the introduction that network and space-time coding over rings may have advantages compared to the case of fields. It also opens up the possibility of considering the codes for cryptographic applications, the main motivation for LRPC codes over fields.
Open problems are a generalization of the codes to more general rings (such as principal ideal rings); an analysis of the codes in potential applications; and an adaptation of the improved decoder for LRPC codes over finite fields in [1] to finite rings. To be useful for network coding (both in the case of fields and rings), the decoder must be extended to handle row and column erasures in the rank metric (cf. [13, 22]).: Y i,j ∈ R n i ×n j , Y i,i ∈ GL(n i , R) This means that every module is counted r−1 i=1 s in i N many times and we finally obtain S i,j T j ∈ m r−i R n i ×m .
Since the rows of T are linearly independent over R, this implies that S i,j ∈ m r−i , that is S is of the form 6} and thus rk(A) = rk(D) = 3 and frk(A) = frk(D) = 2.It follows that rk R (a) = 3 and frk R (a) = 2. Let a = m i=1 a i γ i ∈ S, where a i ∈ R. The following statements are equivalent (cf.[13, Lemma 2.4]):

8 return r − e 9 else 10 return
decoding with support E ′ w.r.t. the syndrome s, as described in Lemma 2 (Section 4.2) 7 if There is exactly one solution e of the erasure decoding problem then "decoding failure"

t
linearly independent elements over R. Let A ∈ R t×m be the matrix whose rows are the vectorial representations in R m of the elements in F (Γ 1 ) • F (Γ 2 ).Clearly, a Smith Normal Form for A is A = DT where D = (I t | 0) and T ∈ GL(n, R) is any invertible matrix whose first t × m block is equal to A. By definition Γ 1 • Γ 2 is a generating set for M 1 • M 2 and hence M 1 • M 2 is equal to the rowspace of the matrix A ′ whose rows are the vectorial representations of the elements in

Lemma 7
Let a, b be positive integers with a < b.Then, the number of a × b matrices over R = GR(p r , s) of (full) free rank a is NM(a, b

Lemma 8
Let A ⊆ S be an R-module of rank α and B ⊆ S be a free R-module of free rank β.Assume that φ A•B 2 = φ A φ B 2 and that there is an element e ∈ A • B \ A with eB ⊆ A • B. Then, there is an y ∈ B \ R such that yB ⊆ B. Proof Let a 1 , . . ., aα be an m-shaped basis of A and b 1 , . . ., b β be a basis of B. Due to e ∈ A • B, there are coefficients e i,j ∈ R such that e = α i=1 β j=1 e i,j b j =: b ′ i a i .(12) Due to the fact that e / ∈ A, there is an η ∈ {1, . . ., α} with b ′ η aη / ∈ A. In particular, y := g v(aη) m b ′ η ∈ B \ R. We show that y fulfills yB ⊆ B. Let now b ∈ B. Since by assumption eb ∈ A • B, there are c i,j ∈ R with eb = α i=1 β j=1 c i,j b j a i .By (12), we can also write eb = α i=1 β j=1 e i,j b j b a i = α i=1 b ′i ba i .Due to the maximality of the rank profile of A • B 2 , i.e., φ A•B 2 = φ A φ B 2 , we have that the coefficients c i ∈ B 2 of any representation c = i c i a i of an element c ∈ A • B 2 are unique modulo M r−v(ai) .Hence, for every i = 1, . . ., α, there existsχ i ∈ B 2 such that b ′ i b = β j=1 c i,j b j + g r−v(ai) m χ i .Thus, withβ j=1 c η,j b j ∈ B, g v(ai) m ∈ R, and g r m = 0, we get yb = g j b j + g r m χη ∈ B.
λ i=1 S i =: E ′ E .Choose any e ∈ E ′ \ E .Since F contains 1 by assumption, we have e ∈ A • B. Due to A ⊆ E , we have e / ∈ A. Furthermore, we have E ′ • B = E • B, so all conditions on e of Lemma 8 are fulfilled.

Lemma 10 (
[24, Proposition 7.16]) Let A ∈ R^{a×b}. Then, the Smith normal form D of A, as well as the corresponding transformation matrices S and T, can be computed in O(ab min{a, b}^{ω−2} log(a + b)) operations in R. Lemma 11 Let A ∈ R^{a×b}. An m-shaped basis of the right kernel of A can be computed in O(ab min{a, b}^{ω−2} log(a + b)) operations in R. Proof We compute the Smith normal form D = SAT and the transformation matrices S and T of A. To compute the right kernel, we need to solve the homogeneous linear system Ax = 0 for x. Using the Smith normal form, we can rewrite it as DT^{−1}x = 0. Denote y := T^{−1}x and first solve Dy = 0. W.l.o.g., let the diagonal entries of D be of the form 

6 . 3 Theorem 6
rows of KT^⊤ form an m-shaped basis of the right kernel of A. Note that this matrix multiplication can be implemented with complexity O(b²), since K has at most one entry per row and column. ⊓⊔ Lemma 12 Let A ∈ R^{a×b} and b ∈ R^a. A solution of the linear system Ax = b (or, in case no solution exists, the information that it does not exist) can be obtained in O(ab min{a, b}^{ω−2} log(a + b)) operations in R. Proof We follow the same strategy and notation as in Lemma 11. Solve D T^{−1}x =: y = Sb =: b' for one y. The system has a solution if and only if b'_j ∈ M^{i_j} for j = 1, ..., r', and b'_j = 0 for all j > r'. In case it has a solution, it is easy to obtain a solution y. Then we only need to compute x = Ty, which is a solution of Ax = b. The heaviest step is to compute the Smith normal form, which proves the complexity statement. ⊓ ⊔ Complexity of the LRPC Decoder over Galois Rings Suppose that the inverse elements f_1^{−1}, ..., f_λ^{−1} are precomputed. Then, Algorithm 1 has complexity Õ(λ² n² m) operations in R. Proof The heaviest steps of Algorithm 1 (see Section 4) are as follows: Line 1 computes the syndrome s from the received word. This is a vector-matrix multiplication in S, which costs O(n(n − k)) ⊆ O(n²) operations in S, i.e., Õ(n² m) operations in R.

1 i=1s
is a subring of R N×N ; (P2) G * φ = G φ ∩ GL(N, R); (P3) (G * φ , •) is a subgroup of GL(N, R); (P4) (H φ , +) is a subgroup of R N×m ; (P5) For every Y ∈ G φ , Z ∈ H φ , we have Y Z ∈ H φ ; (P6) If Y ∈ G * φ , then Z −→ Y Z is a bijection of H φ .With these tools and from Proposition 2 we can deduce the two corollaries.Proof (Proof of Corollary 1) First, denote by n i := φ M i and let N := n 0 + . . .+ n r−1 , and fix an R-basis of S so that we identify S with R m .Fix a free module N ∈ Free(M) and let T N be such that rowspace(T N ) = N By Proposition 2, we haveFree(M) = {rowspace(Y T N + Z) | Y ∈ G * φ , Z ∈ H φ } = {rowspace(T N + Y −1 Z) | Y ∈ G * φ , Z ∈ H φ } = {rowspace(T N + Z) | Z ∈ H φ },where the last equality follows from (P6).It is immediate to see that rowspace(T N + Z) = N = rowspace(T N ) if and only if all the rows of Z belong to N .For the ith block of n i rows of Z, we can freely choose among all the elements in g r−i m N , that are s iN .Hence we get|{Z ∈ H φ | rowspace(T N + Z) = N }| = |{Z ∈ H φ | rowspace(Z) ⊆ N }| = r−in i N .

s.
in i m s in i N = s (m−N) r−1 i=1 in i .⊓ ⊔ Proof (Proof of Corollary 2) Let M be an R-submodule of S with rank profile φ_M and observe that M ∈ Mod(φ, N) if and only if N ∈ Free(M). Identify S with R^m, and define With this notation, we have Mod(φ, N) = {rowspace(DT) | T ∈ R^{N×m}, rowspace(T) = N}. Moreover, there are exactly |GL(N, R)| many matrices T ∈ R^{N×m} such that rowspace(T) = N, and they are obtained by fixing any matrix T̄ and considering {A T̄ | A ∈ GL(N, R)}. Let us fix M := rowspace(D T̄) ∈ Mod(φ, N). We count for how many A ∈ GL(N, R) we have rowspace(DA T̄) = M. By Proposition 2, this happens if and only if there exist Y ∈ G*_φ, Z ∈ H_φ such that A T̄ = Y T̄ + Z, which in turn is equivalent to the condition that there exists Y ∈ G*_φ such that (A − Y) T̄ ∈ H_φ. Let us call S := A − Y and divide S into r × r blocks S_{i,j} ∈ R^{n_i×n_j}, for i, j ∈ {0, ..., r−1}. Divide also T̄ into r blocks T̄_i ∈ R^{n_i×m} for i ∈ {0, ..., r−1}. Hence, we have, for every i ∈ {0, ..., r−1} r−1 j=0

.
Therefore, we have rowspace(DA T̄) = M if and only if A = Y + S. It is easy to see that this holds if and only if A ∈ G*_φ. Hence, the R-submodule M is counted |G*_φ| many times. Since the choice of M was arbitrary, we conclude |Mod(φ, N)| = |GL(N, R)| / |G*_φ|. ⊓ ⊔